1.0.0 Release IaaS

config/services/containers/infra/postgresql/build/postgresql.containerfile.j2

@@ -0,0 +1,12 @@
+ARG PG_VER={{ version['containers']['postgresql'] }}
+
+FROM docker.io/library/postgres:${PG_VER}
+
+ARG VECTORCHORD_VER={{ version['containers']['vectorchord'] }}
+
+RUN apt update && \
+    apt install -y wget postgresql-${PG_MAJOR}-pgvector && \
+    wget -nv -O /tmp/vchord.deb https://github.com/tensorchord/VectorChord/releases/download/${VECTORCHORD_VER}/postgresql-${PG_MAJOR}-vchord_${VECTORCHORD_VER}-1_amd64.deb && \
+    apt install -y /tmp/vchord.deb && \
+    apt purge -y wget && apt autoremove -y && \
+    rm -rf /tmp/vchord.deb /var/lib/apt/lists/*

config/services/containers/infra/postgresql/config/pg_hba.conf.j2

@@ -0,0 +1,28 @@
+# @authcomment@
+# TYPE  DATABASE    USER    ADDRESS METHOD
+# Local host `trust`
+local   all all     trust
+
+# Local monitoring connection (host - infra VM) `trust`
+hostssl postgres    alloy   {{ hostvars['fw']['network4']['infra']['server'] }}/32  trust
+hostssl postgres    alloy   {{ hostvars['fw']['network6']['infra']['server'] }}/128 trust
+hostssl postgres    alloy   {{ hostvars['fw']['network4']['subnet']['lla'] }}   trust
+hostssl postgres    alloy   {{ hostvars['fw']['network6']['subnet']['lla'] }}   trust
+
+# Local connection (in postgresql container) needs password (127.0.0.1 - container loopback)
+host    all all 127.0.0.1/32    scram-sha-256
+host    all all ::1/128 scram-sha-256
+
+# Local connection (host - infra VM) needs password (169.254.1.0/24 - link_local subnet for containers in pasta mode)
+hostssl all all {{ hostvars['fw']['network4']['infra']['server'] }}/32  scram-sha-256
+hostssl all all {{ hostvars['fw']['network6']['infra']['server'] }}/128 scram-sha-256
+hostssl all all {{ hostvars['fw']['network4']['subnet']['lla'] }}   scram-sha-256
+hostssl all all {{ hostvars['fw']['network6']['subnet']['lla'] }}   scram-sha-256
+
+# auth VM
+hostssl all all {{ hostvars['fw']['network4']['auth']['server'] }}/32   scram-sha-256
+hostssl all all {{ hostvars['fw']['network6']['auth']['server'] }}/128  scram-sha-256
+
+# app VM (Applications, 192.168.10.13) 
+hostssl all all	{{ hostvars['fw']['network4']['app']['server'] }}/32    scram-sha-256
+hostssl all all	{{ hostvars['fw']['network6']['app']['server'] }}/128   scram-sha-256

config/services/containers/infra/postgresql/config/postgresql.conf.j2

@@ -0,0 +1,41 @@
+#------------------------------------------------------------------------------
+# CUSTOMIZED OPTIONS
+#------------------------------------------------------------------------------
+
+# Add settings for extensions here
+# Listen_address
+listen_addresses = '*'
+# Max connections
+max_connections = 250
+# listen_port
+port = 5432
+
+# SSL
+ssl = on
+ssl_ca_file = '/etc/ssl/postgresql/ilnmors_root_ca.crt'
+ssl_cert_file = '/etc/ssl/postgresql/postgresql.crt'
+ssl_key_file = '/etc/ssl/postgresql/postgresql.key'
+ssl_ciphers = 'HIGH:!aNULL:!MD5'
+ssl_prefer_server_ciphers = on
+
+# log
+log_destination = 'stderr'
+log_checkpoints = on
+log_temp_files = 0
+log_min_duration_statement = 500
+
+# IO
+track_io_timing = on
+
+## immich_config
+shared_preload_libraries = 'vchord.so'
+search_path = '"$user", public'
+max_wal_size = 5GB
+shared_buffers = 512MB
+wal_compression = on
+work_mem = 16MB
+autovacuum_vacuum_scale_factor = 0.1
+autovacuum_analyze_scale_factor = 0.05
+autovacuum_vacuum_cost_limit = 1000
+effective_io_concurrency = 200
+random_page_cost = 1.2

config/services/containers/infra/postgresql/postgresql.container.j2

@@ -0,0 +1,36 @@
+[Quadlet]
+DefaultDependencies=false
+
+[Unit]
+Description=PostgreSQL
+
+After=network-online.target
+Wants=network-online.target
+
+[Container]
+Image=ilnmors.internal/{{ node['name'] }}/postgres:pg{{ version['containers']['postgresql'] }}-vectorchord{{ version['containers']['vectorchord'] }}
+
+ContainerName=postgresql
+HostName=postgresql
+
+PublishPort=5432:5432/tcp
+
+Volume=%h/containers/postgresql/data:/var/lib/postgresql:rw
+Volume=%h/containers/postgresql/config:/config:ro
+Volume=%h/containers/postgresql/ssl:/etc/ssl/postgresql:ro
+Volume=%h/containers/postgresql/init:/docker-entrypoint-initdb.d/:ro
+Volume=%h/containers/postgresql/backups:/backups:rw
+
+Environment="TZ=Asia/Seoul"
+# This option is only for init process, after init custom config file `pg_hba.conf` will control this option.
+Environment="POSTGRES_HOST_AUTH_METHOD=trust"
+
+Exec=postgres -c 'config_file=/config/postgresql.conf' -c 'hba_file=/config/pg_hba.conf'
+
+[Service]
+Restart=always
+RestartSec=10s
+TimeoutStopSec=120
+
+[Install]
+WantedBy=default.target

config/services/containers/infra/postgresql/services/postgresql-cluster-backup.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=PostgreSQL Cluster Backup Service
+After=postgresql.service
+BindsTo=postgresql.service
+
+[Service]
+Type=oneshot
+
+# logging
+StandardOutput=journal
+StandardError=journal
+
+ExecStartPre=/usr/bin/podman exec postgresql sh -c "mkdir -p /backups/cluster && chown postgres:root /backups/cluster && chmod 770 /backups/cluster"
+
+# Run the script
+ExecStart=/usr/bin/podman exec -u postgres postgresql sh -c 'pg_dumpall -U postgres --schema-only | grep -v -E "CREATE ROLE postgres" > /backups/cluster/pg_cluster_$(date "+%%Y-%%m-%%d").sql'
+ExecStart=/usr/bin/podman exec -u postgres postgresql sh -c "find /backups/cluster -maxdepth 1 -type f -mtime +7 -delete"
+ExecStart=/usr/bin/podman exec postgresql sh -c "chown -R postgres:root /backups/cluster && chmod 660 /backups/cluster/*"

config/services/containers/infra/postgresql/services/postgresql-cluster-backup.timer

@@ -0,0 +1,17 @@
+[Unit]
+Description=Run PostgreSQL Cluster Backup service every day
+
+[Timer]
+# Execute service after 1 min on booting
+OnBootSec=1min
+
+# Execute service every day 00:00
+OnCalendar=*-*-* 00:00:00
+# Random time to postpone the timer
+RandomizedDelaySec=15min
+
+# When timer is activated, Service also starts.
+Persistent=true
+
+[Install]
+WantedBy=timers.target

config/services/containers/infra/postgresql/services/postgresql-data-backup@.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=PostgreSQL Data %i Backup Service
+After=postgresql.service
+BindsTo=postgresql.service
+
+[Service]
+Type=oneshot
+
+# logging
+StandardOutput=journal
+StandardError=journal
+
+ExecStartPre=/usr/bin/podman exec postgresql sh -c "mkdir -p /backups/%i && chown postgres:root /backups/%i && chmod 770 /backups/%i"
+
+# Run the script
+ExecStart=/usr/bin/podman exec -u postgres postgresql sh -c 'printf "\\connect %i_db\n" > /backups/%i/pg_%i_$(date "+%%Y-%%m-%%d").sql'
+ExecStart=/usr/bin/podman exec -u postgres postgresql sh -c 'pg_dump -U postgres -d %i_db --data-only >> /backups/%i/pg_%i_$(date "+%%Y-%%m-%%d").sql'
+ExecStart=/usr/bin/podman exec -u postgres postgresql sh -c "find /backups/%i -maxdepth 1 -type f -mtime +7 -delete"
+ExecStart=/usr/bin/podman exec postgresql sh -c "chown -R postgres:root /backups/%i && chmod 660 /backups/%i/*"

config/services/containers/infra/postgresql/services/postgresql-data-backup@.timer

@@ -0,0 +1,17 @@
+[Unit]
+Description=Run %i Data Backup service every day
+
+[Timer]
+# Execute service after 1 min on booting
+OnBootSec=1min
+
+# Execute service every day 00:00
+OnCalendar=*-*-* 00:00:00
+# Random time to postpone the timer
+RandomizedDelaySec=15min
+
+# When timer is activated, Service also starts.
+Persistent=true
+
+[Install]
+WantedBy=timers.target